On February 3, 2025, Nepal’s Institute of Engineering (IOE) experienced a significant security breach that exposed the personal details of 7,400 students. The compromised information—including names, addresses, birth dates, and phone numbers—was later advertised for sale on the dark web. This breach affected not only the main institute but also its affiliated entities such as Pulchowk Campus, Thapathali Campus, WRC, ERC, and several private colleges under its umbrella.

 Rather than being a mere technical glitch, this incident highlights a deep-seated neglect of cybersecurity—a particularly alarming issue given IOE’s leading role in offering Nepal’s Master’s program in Computer Engineering with a specialization in Network and Cybersecurity.

What Led to the Breach?

1. Systemic Negligence and Outdated Systems

It is concerning that an institution dedicated to training future cybersecurity experts fails to protect its own systems. This breach exposes several systemic issues.

Mismatch Between Learning and Application:
Although the curriculum covers advanced cybersecurity concepts, the institution falls short in applying even the basic security measures needed to safeguard its digital infrastructure.

Inadequate Security Measures:
Many of IOE’s websites lack essential protections. They are missing proper SSL encryption, do not use modern and secure software packages, and fail to undergo robust security testing procedures.
(Note: Some reported issues might be false positives or not pose immediate threats.)

Superficial Penetration Testing Practices:
A recent account from an IOE employee indicates that the security teams rely heavily on automated tools like ZAP Proxy to generate reports. These reports are then presented as comprehensive penetration tests, but they bypass crucial manual review and remediation steps, creating an illusion of security.

2. A Culture of Complacency

Despite its focus on advanced cybersecurity education, IOE’s administrative and technical teams often treat security measures as mere formalities. Some insiders have even noted that “no one is serious about security,” revealing a stark disconnect between what is taught and what is practiced.

In the rush to digitize services, especially following the COVID-19 pandemic, the institution has prioritized speed over safety, neglecting necessary investments in system security. This mirrors a broader national issue, where comprehensive data protection laws remain underdeveloped.

Additionally, a general lack of security awareness among staff and management further compounds the institution’s vulnerabilities.

3. Underutilized Cybersecurity Expertise

IOE’s cybersecurity students receive training in vulnerability assessment, penetration testing, digital forensics, and network defense. However, they are not actively engaged in protecting the institution’s own systems. This not only deprives them of essential hands-on experience but also misses a valuable opportunity to strengthen internal security.

Moreover, by failing to involve both students and faculty in security efforts, IOE loses the chance to combine academic knowledge with practical application, resulting in a significant lost opportunity for collaboration.

A Student’s Viewpoint

It is profoundly disheartening to attend an institution that boasts a Bachelor’s program in Computer Engineering , yet cannot secure the personal data of its students. The irony is unmistakable: an establishment dedicated to cybersecurity is now under scrutiny for its own negligence. As a student, realizing that my personal information has been compromised due to these oversights is both frustrating and disappointing. This breach represents not just a technological failure but also a significant breakdown in responsibility and accountability, calling into question the institution’s credibility and its commitment to practicing what it teaches.

Moving Forward: Recommendations for IOE

1. Immediate Corrective Actions:

 Begin by conducting a comprehensive audit of all systems and websites to identify any vulnerabilities.

Next, implement basic security protocols. This involves installing SSL certificates where necessary, updating outdated and vulnerable software packages, and establishing regular, systematic security patching.

Additionally, inform and protect affected students by notifying those impacted and offering clear guidance on how to mitigate potential risks.

By addressing these issues promptly and effectively, IOE can begin to rebuild trust and demonstrate its commitment to both cybersecurity education and practice.

2. Structural Reforms

Establish a Cybersecurity Task Force:
Form a dedicated team comprising faculty, students, and external experts. This team will conduct system audits, prioritize remedial actions, and ensure accountability.

Capitalize on Student Expertise:
Integrate practical, real-world projects into the curriculum. For instance, consider launching bug bounty programs that reward students for uncovering vulnerabilities in IOE’s systems. Additionally, collaborate with IT departments for capstone projects aimed at revamping insecure portals or implementing intrusion detection systems (IDS). Use the institution’s own systems as case studies to further enhance practical learning.

Adopt Recognized Security Frameworks:
Align the institution with international standards such as NIST or ISO 27001. These frameworks emphasize continuous monitoring, regular risk assessments, and a proactive approach to security.

3. Cultural Transformation

Implement Mandatory Security Training:
Require all staff and students to complete comprehensive training on phishing detection, proper password practices, and data privacy.

Promote Transparency and Accountability:
Publish detailed post-incident reports and updates on remediation efforts. This openness will help rebuild and maintain trust.

Advocate for Stronger Data Protection Policies:
Encourage efforts to push for long-overdue data protection laws in Nepal. A stronger regulatory framework is essential for overall security.

Leveraging Student Expertise

Security Research Lab:
Establish a lab where students lead research projects focused on identifying and mitigating security vulnerabilities.
Conduct thorough assessments of the institution’s systems and develop innovative security tools and solutions.

Internship Program:
Create rotating security roles for students within the institution.
Provide mentorship from industry professionals to bridge academic theory and real-world application.

Security Consulting Team:
Form student-faculty teams dedicated to performing regular security assessments and offering actionable recommendations.
Ensure that findings and solutions are systematically documented and shared across the institution.

Call to Action

The recent breach at IOE is a stark wake-up call. As a student in the cybersecurity program, I urge the institution to put its teachings into practice.

To IOE Administrators:
Stop relying solely on automated reports. Engage students, invest strategically in infrastructure, and treat security as a core institutional value.

To Fellow Students:
Hold the administration accountable. Use your skills to audit systems, propose improvements, and demand greater transparency.

The time for excuses has passed. It’s time to secure our future—starting right here on our campus.

Conclusion

The data breach at IOE clearly highlights systemic shortcomings in cybersecurity within Nepal’s educational institutions. Despite offering advanced cybersecurity courses, the failure to protect institutional systems is alarming.

This incident must serve as a catalyst for change. It is not only an opportunity to strengthen technical defenses but also to foster a security-aware culture among staff and students.

By leveraging internal cybersecurity talent, enforcing strict security policies, and collaborating with industry experts, IOE can transform this crisis into a model for excellence in the education sector.

The crucial question remains: Will IOE take decisive action now, or continue to overlook security until another breach forces its hand?